Why do you want a privacy-enabled address on the WAN interface anyways?
Whether clients in your LAN use Privacy-Extensions or Stable-Secret-Addresses is up to the clients. OpenWrt doesn't do this. OpenWrt just announces a prefix to your LAN. The clients will assign addresses according to this.
Anyway, looking at the original post, @daiaji doesn't want PE on the OpenWrt. At least that's what I derive from the firewall rule. He wants people to access his web server, which is a LAN client behind OpenWrt. He seems to be under the impression that OpenWrt handles the assignment of IPv6 addresses for clients.
Furthermore, if the WAN-IPv6 of the OpenWrt box is assigned by DHCPv6/PPPoE, it won't contain the MAC address anyways.
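An added example, not part of the original post: a Python check for whether an IPv6 address carries a MAC address in its interface identifier, which is the case only for SLAAC addresses built with modified EUI-64. The function names are hypothetical and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress


def slaac_eui64(prefix: str, mac: str) -> str:
    """Build the address a host derives from a /64 prefix and its MAC
    using modified EUI-64 (no privacy extensions, no stable-secret IID)."""
    net = ipaddress.IPv6Network(prefix)
    m = bytes.fromhex(mac.replace(":", ""))
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def embedded_mac(addr: str):
    """Return the MAC embedded in the interface identifier, or None.

    Heuristic: a random identifier has ff:fe in this position with
    probability 1/65536, so a match is strong evidence, not proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


# Constructed sample addresses, one per assignment style.
SAMPLES = {
    "SLAAC, modified EUI-64": slaac_eui64("2001:db8:1:2::/64", "00:11:22:33:44:55"),
    "SLAAC, random identifier": "2001:db8:1:2:a1b2:c3d4:e5f6:789",
    "DHCPv6-assigned": "2001:db8:1:2::1a",
}


def audit(samples=SAMPLES):
    """Map each label to the MAC its address exposes (None if it exposes none)."""
    return {label: embedded_mac(addr) for label, addr in samples.items()}


if __name__ == "__main__":
    for label, mac in audit().items():
        print(f"{label:26} {SAMPLES[label]:34} MAC: {mac}")
```
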